KB40405 - Certificate-based authentication or restriction fails with Pulse Secure Desktop client 5.2R5 to 5.2R7 if the EKU (Enhanced Key Usage) of ClientAuthentication is not present.

Information

Last Modified Date

3/16/2017 9:28 PM

Synopsis

This article describes an issue where certificate-based authentication or restriction fails with Pulse Secure Desktop client 5.2R5 to 5.2R7 if the EKU (Enhanced Key Usage) of ClientAuthentication is not present in the certificate.

Problem or Goal

After upgrading to Pulse Secure Desktop client 5.2R5 to 5.2R7, certificate-based authentication or restriction fails with the following error message:

This issue is caused by changes introduced in Pulse Secure Desktop client version 5.2R5 to support automatic certificate selection. The change made to the "AUTO" selection logic in 5.2R5 broke the legacy behavior, so certificate authentication fails when the EKU field is missing.

Affected versions:

Pulse Secure Desktop client version 5.2R5 to 5.2R7

Solution

To find the root cause of this issue, check whether the EKU is present in the client certificate. Open the certificate and navigate to Details > Extensions Only. Check whether Enhanced Key Usage contains the Client Authentication OID, as shown in the screenshot below:

This issue will be resolved in Pulse Secure Desktop client version 5.2R8 (tentative for Q2 2017). The change is to rank all certificates the same, regardless of whether the EKU exists. This KB will be updated once release dates are available.
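
The EKU check from the Solution section can also be scripted across every certificate in the Windows personal stores. This is an added example, not Pulse Secure code; it assumes a Windows client whose certificates live in the CurrentUser or LocalMachine "My" store, and the function name Get-ClientAuthEkuStatus is hypothetical.

```powershell
# OID of the Client Authentication EKU (id-kp-clientAuth, RFC 5280)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ClientAuthEkuStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # The EKU extension is optional in X.509; a certificate without it
        # is the case this KB describes as failing on 5.2R5 to 5.2R7.
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1

        if ($null -eq $eku) {
            $oids   = @()
            $status = 'EKU extension missing'
        } else {
            $oids   = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $status = if ($oids -contains $ClientAuthOid) {
                'Client Authentication present'
            } else {
                'EKU present, Client Authentication absent'
            }
        }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            HasPrivateKey = $Certificate.HasPrivateKey   # needed for client authentication
            EkuStatus     = $status
            EkuOids       = $oids -join ', '
        }
    }
}

# Assumption: client certificates are in the user or machine personal store.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Get-ClientAuthEkuStatus |
    Sort-Object EkuStatus |
    Format-Table -AutoSize
```

Certificates reported as "EKU extension missing" that have a private key are the ones to examine first on the affected client versions.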